Why Your Self-Care Business Needs a Privacy Policy

By Boulevard . Jun.10.2025
Learn how to craft a TCR-compliant privacy policy that keeps your clients’ data safe
Privacy is a hot topic in the beauty industry right now. Your clients want the benefits of digital marketing, messaging, and personalization, but they also want to know that your self-care business is taking steps to keep their information safe in accordance with state and federal regulations.
Creating a privacy policy isn’t just a best practice — it’s a legal necessity. And if you’re using tools like Boulevard Messages to stay in touch with your most loyal clients, you must ensure that any privacy policy you create stays compliant with requirements set forth by The Campaign Registry (TCR).
A well-crafted privacy policy won’t just help you avoid legal penalties; it’ll build and maintain trust with your clients over the long term. Here, we’ll walk you through why you need a privacy policy, the best tools available to help you create one, and how TCR fits into this equation.
What is a privacy policy, and why do I need one?
A privacy policy is a legal document stored on your self-care business website that explains how you plan to collect and use client data.
As a business owner, you’re likely collecting a client’s email address or phone number to manage their profile, contact them about appointments, process payments, and deliver marketing messages. Your website is also probably collecting user data through cookies and trackers to determine how people find your website and what pages they visit while they’re there. Your privacy policy should explain how your business collects data, how it’s stored, how you plan on using it, and whether it will be shared or sold to other entities.
Having a detailed and transparent privacy policy on your website is a great way to instill trust in your clients that you plan to use their information responsibly. Many people are happy to hand over their email or phone number to stay in contact with your business, but they want to know that you’re not going to start spamming them with unnecessary messages or put them on a list they’ll never be able to unsubscribe from. Building a privacy policy — and sticking to it — lets them know that their data is in good hands.
The trust you’ll build with clients is reason enough to have a privacy policy in place, but you also need one to conform to various state, federal, and even global regulations regarding data handling and storage. For example, if you do business in California, you must ensure that any data you collect adheres to the California Consumer Privacy Act (CCPA). If you run a medspa, you’ll need to ensure data aligns with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). And if you plan on texting your clients, you need to meet requirements set by The Campaign Registry to achieve compliance with the Telephone Consumer Protection Act and Federal Communications Commission (FCC) regulations.
What is The Campaign Registry?
The Campaign Registry is an independent intermediary that helps businesses comply with the necessary legal requirements for SMS-based contact with consumers. Its goal is to reduce the amount of untrustworthy spam messages people receive and minimize the likelihood of fines and legal action for non-compliance.
To do this, TCR evaluates whether you have a secure website, visible contact information, transparent opt-in language for text messages, and a detailed privacy policy. If you meet all of its requirements, it classifies your business as trustworthy with the government and approves your phone number to start sending text messages.
Usually, you’ll work with your SMS marketing platform (also known as a campaign service provider) to register with TCR. For example, if you plan to send texts through Boulevard Messaging, you’ll want to go through our TCR registration checklist, which includes creating a privacy policy. Once you submit your phone number’s TCR registration, we’ll submit your dedicated phone number for TCR approval. If everything looks good on TCR’s end, we’ll flag your account as approved, and you’ll be ready to start sending texts to your clients.
What do I need in my privacy policy?
Every business collects and uses client information in different ways. However, all privacy policies should follow this general structure:
Start with an introduction that explains your business, who and what actions your policy applies to, and a list of terms you plan on using throughout the policy.
Then, you’ll want to create a list of all personal data that you collect from clients. This list should be detailed and inclusive — if you miss something here, you may face legal action.
You’ll also need a description of how you plan to collect data, whether that’s through online forms, payment processing, registrations, or even cookies on your website.
Some regulations (like GDPR) require you to list the legal basis for collecting personal data. For example, if you’re collecting data for the purposes of performing a contract, you will need to list this clearly within the document. Not all regulations will require this, so double-check with your available legal resources to see if this section is needed.
You then need to explain how you plan to use personal data. Whether it’s for communication and marketing, payment, or personalization, you need to explain it here in straightforward, easy-to-understand language.
You must also disclose if you plan to share personal information with external parties or sell it to them.
Even if you don’t cater to children, you need a clause that addresses child privacy.
Detail the privacy rights your clients have over their data and how they can access the data you collect.
Explain how you store and safeguard client data, as well as how long you retain it.
If your website uses cookies and trackers, you must have a section explaining what those cookies collect and why.
If regulations (like the CCPA) require updating your privacy policy, you need a section explaining how you’ll notify clients when the policy changes.
Put links to other relevant legal documents here to make it easy for clients to find more information.
You may not have any plans to sell your self-care business, but adding a business clause is a good CYA in case you ever need to transfer data to a different entity.
Finally, include contact information in case clients need more information from you.
The language you use to draft your privacy policy should be clear and direct. Avoid jargon whenever possible so that anyone can understand what you plan to do with the data you collect.
Additionally, your privacy policy must meet the following requirements to be approved by TCR:
Your privacy policy must explicitly state that no mobile details or personally identifiable information (PII) will be shared with third parties or affiliates for marketing or promotional purposes. If you do share PII with third parties, consider specifying the reasons why within your policy — otherwise, TCR may not approve your account.
It must be hosted under the same domain as your self-care business website.
It must be located on its own dedicated page with a unique URL — something like selfcarebusiness.com/privacy-policy. The link must be in your website’s footer in a clear and distinct location.
You can also include SMS consent disclosure language for added trust.
How can I make an effective policy?
If you’re looking for the most reliable way to craft a privacy policy, you should consult a legal advisor. They’ll help you look at all aspects of your self-care business and craft a policy that will cover all of your bases.
However, sole proprietors and small businesses may not have ready access to legal advice. Luckily, if you’re not collecting an unusual amount of data, you likely won’t need a lot of custom language to explain what you’re doing with it. In that case, a solution like Termly can design a free privacy policy for you. All you need to do is answer some basic questions, and Termly will fill in the blanks to generate a usable privacy policy in just a few minutes.
If you’re looking for additional help meeting TCR requirements, be sure to check out our TCR registration checklist. It’ll guide you through everything TCR looks for, from using secure HTTPS domains to including a dedicated “About us” section with the required information. The TCR Registration Checklist in the Boulevard Support Center also includes examples of what an application rejection might look like, alongside advice on resolving any lingering issues.
(The material contained in this article is provided for informational purposes only and should not be construed as legal advice. Be sure to consult with your business’ legal experts for any questions and to make sure your privacy policy is up to date and compliant.)
